hyperscan: fix build

.gitignore

@@ -1,3 +1,7 @@
+outputs
+result
+result-*
+source
 userdata/userdata.json
 hardware-configuration.nix
-networking.nix
+networking.nix

configuration.nix

@@ -6,27 +6,28 @@ in
 {
   imports = [
     ./hardware-configuration.nix
-
-    ./variables-module.nix
-    ./variables.nix
-    ./files.nix
-    ./users.nix
-    ./mailserver/system/mailserver.nix
-    ./mailserver/system/alps.nix
-    ./vpn/ocserv.nix
-    ./api/api.nix
-    ./api/api-module.nix
-    ./social/pleroma.nix
-    ./letsencrypt/acme.nix
-    ./letsencrypt/resolve.nix
-    ./backup/restic.nix
-    ./passmgr/bitwarden.nix
-    ./webserver/nginx.nix
-    ./webserver/memcached.nix
-    ./nextcloud/nextcloud.nix
-    ./resources/limits.nix
-    ./videomeet/jitsi.nix
-    ./git/gitea.nix
+    ./generic/api/api.nix
+    ./generic/modules/api.nix
+    ./generic/modules/userdata.nix
+    ./generic/overlays/default.nix
+    ./generic/services/backup/restic.nix
+    ./generic/services/cloud/nextcloud.nix
+    ./generic/services/git/gitea.nix
+    ./generic/services/letsencrypt/acme.nix
+    ./generic/services/letsencrypt/resolve.nix
+    ./generic/services/mail/alps.nix
+    ./generic/services/mail/mailserver.nix
+    ./generic/services/passmgr/bitwarden.nix
+    ./generic/services/social/pleroma.nix
+    ./generic/services/videomeet/jitsi.nix
+    ./generic/services/vpn/ocserv.nix
+    ./generic/services/webserver/modsecurity/default.nix
+    ./generic/services/webserver/memcached.nix
+    ./generic/services/webserver/nginx.nix
+    ./generic/system/limits.nix
+    ./generic/system/tmpfiles.nix
+    ./generic/system/userdata.nix
+    ./generic/system/users.nix
   ];
 
   nixpkgs.overlays = [ (nix-overlay) ];

generic/overlays/default.nix

@@ -0,0 +1,31 @@
+{ lib, pkgs, ... }:
+{
+  nixpkgs.config.packageOverrides = pkgs: rec {
+    spdev = import ./../pkgs { inherit pkgs; };
+  };
+
+  nixpkgs.overlays = [
+    (self: super: {
+      nginx = super.nginxMainline.override {
+        withDebug = false;
+        withStream = false;
+        modules = [
+          pkgs.nginxModules.rtmp
+          pkgs.nginxModules.dav
+          pkgs.nginxModules.moreheaders
+          pkgs.nginxModules.modsecurity-nginx
+        ];
+      };
+      hyperscan = super.hyperscan.overrideDerivation (oldAttr: {
+        patches = [
+          (super.fetchpatch {
+            # part of https://github.com/intel/hyperscan/pull/336
+            url = "https://github.com/intel/hyperscan/commit/e2c4010b1fc1272cab816ba543940b3586e68a0c.patch";
+            sha256 = "sha256-doVNwROL6MTcgOW8jBwGTnxe0zvxjawiob/g6AvXLak=";
+          })
+        ];
+      });
+
+    })
+  ];
+}

generic/pkgs/default.nix

@@ -0,0 +1,5 @@
+{ pkgs ? import <nixpkgs> { } }:
+rec {
+  libmodsecurity = pkgs.callPackage ./libmodsecurity { };
+  modsecurity-crs = pkgs.callPackage ./modsecurity-crs { };
+}

generic/pkgs/libmodsecurity/default.nix

@@ -0,0 +1,70 @@
+{ lib, stdenv, fetchFromGitHub
+, autoreconfHook, bison, flex, pkg-config
+, curl, geoip, libmaxminddb, libxml2, lmdb, lua, pcre
+, ssdeep, valgrind, yajl
+}:
+
+stdenv.mkDerivation rec {
+  pname = "libmodsecurity";
+  version = "3.0.6";
+
+  src = fetchFromGitHub {
+    owner = "SpiderLabs";
+    repo = "ModSecurity";
+    rev = "v${version}";
+    sha256 = "sha256-V+NBT2YN8qO3Px8zEzSA2ZsjSf1pv8+VlLxYlrpqfGg=";
+    fetchSubmodules = true;
+  };
+
+  nativeBuildInputs = [ autoreconfHook bison flex pkg-config ];
+  buildInputs = [ curl geoip libmaxminddb libxml2 lmdb lua pcre ssdeep valgrind yajl ];
+
+  outputs = [ "out" "dev" ];
+
+  configureFlags = [
+    "--enable-parser-generation"
+    "--with-curl=${curl.dev}"
+    "--with-libxml=${libxml2.dev}"
+    "--with-lmdb=${lmdb.out}"
+    "--with-maxmind=${libmaxminddb}"
+    "--with-pcre=${pcre.dev}"
+    "--with-ssdeep=${ssdeep}"
+  ];
+
+  postPatch = ''
+    substituteInPlace build/lmdb.m4 \
+      --replace "\''${path}/include/lmdb.h" "${lmdb.dev}/include/lmdb.h" \
+      --replace "lmdb_inc_path=\"\''${path}/include\"" "lmdb_inc_path=\"${lmdb.dev}/include\""
+    substituteInPlace build/ssdeep.m4 \
+      --replace "/usr/local/libfuzzy" "${ssdeep}/lib" \
+      --replace "\''${path}/include/fuzzy.h" "${ssdeep}/include/fuzzy.h" \
+      --replace "ssdeep_inc_path=\"\''${path}/include\"" "ssdeep_inc_path=\"${ssdeep}/include\""
+    substituteInPlace modsecurity.conf-recommended \
+      --replace "SecUnicodeMapFile unicode.mapping 20127" "SecUnicodeMapFile $out/share/modsecurity/unicode.mapping 20127"
+  '';
+
+  postInstall = ''
+    mkdir -p $out/share/modsecurity
+    cp ${src}/{AUTHORS,CHANGES,LICENSE,README.md,modsecurity.conf-recommended,unicode.mapping} $out/share/modsecurity
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    homepage = "https://github.com/SpiderLabs/ModSecurity";
+    description = ''
+      ModSecurity v3 library component.
+    '';
+    longDescription = ''
+      Libmodsecurity is one component of the ModSecurity v3 project. The
+      library codebase serves as an interface to ModSecurity Connectors taking
+      in web traffic and applying traditional ModSecurity processing. In
+      general, it provides the capability to load/interpret rules written in
+      the ModSecurity SecRules format and apply them to HTTP content provided
+      by your application via Connectors.
+    '';
+    license = licenses.asl20;
+    platforms = platforms.all;
+    maintainers = with maintainers; [ izorkin ];
+  };
+}

generic/pkgs/modsecurity-crs/default.nix

@@ -0,0 +1,42 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  version = "3.3.2";
+  pname = "modsecurity-crs";
+
+  src = fetchFromGitHub {
+    owner = "coreruleset";
+    repo = "coreruleset";
+    rev = "v${version}";
+    sha256 = "sha256-m/iVLhk2y5BpYu8EwC2adrrDnbaVCQ0SE25ltvMokCw=";
+  };
+
+  installPhase = ''
+    install -D -m444 -t $out/rules ${src}/rules/*.conf
+    install -D -m444 -t $out/rules ${src}/rules/*.data
+    install -D -m444 -t $out/share/doc/modsecurity-crs ${src}/*.md
+    install -D -m444 -t $out/share/doc/modsecurity-crs ${src}/{CHANGES,INSTALL,LICENSE}
+    install -D -m444 -t $out/share/modsecurity-crs ${src}/rules/*.example
+    install -D -m444 -t $out/share/modsecurity-crs ${src}/crs-setup.conf.example
+    cat > $out/share/modsecurity-crs/modsecurity-crs.load.example <<EOF
+    ##
+    ## This is a sample file for loading OWASP CRS's rules.
+    ##
+    Include /etc/modsecurity/crs/crs-setup.conf
+    IncludeOptional /etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
+    Include $out/rules/*.conf
+    IncludeOptional /etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
+    EOF
+  '';
+
+  meta = with lib; {
+    homepage = "https://coreruleset.org";
+    description = ''
+      The OWASP ModSecurity Core Rule Set is a set of generic attack detection
+      rules for use with ModSecurity or compatible web application firewalls.
+    '';
+    license = licenses.asl20;
+    platforms = platforms.all;
+    maintainers = with maintainers; [ izorkin ];
+  };
+}

generic/services/mail/mailserver.nix

@@ -13,11 +13,6 @@ in
     })
   ];
 
-  services.dovecot2 = {
-    enablePAM = lib.mkForce true;
-    showPAMFailure = lib.mkForce true;
-  };
-
   users.users = {
     virtualMail = {
       isNormalUser = false;
@@ -34,7 +29,6 @@ in
     loginAccounts = {
       "${cfg.username}@${cfg.domain}" = {
         hashedPassword = cfg.hashedMasterPassword;
-        catchAll = [ cfg.domain ];
         sieveScript = ''
           require ["fileinto", "mailbox"];
           if header :contains "Chat-Version" "1.0"
@@ -49,7 +43,6 @@ in
         name = "${user.username}@${cfg.domain}";
         value = {
           hashedPassword = user.hashedPassword;
-          catchAll = [ cfg.domain ];
           sieveScript = ''
             require ["fileinto", "mailbox"];
             if header :contains "Chat-Version" "1.0"

generic/services/webserver/modsecurity/default.nix

@@ -0,0 +1,74 @@
+{config,  pkgs, ... }:
+{
+  environment.etc."modsecurity/modsecurity_includes.conf".text = ''
+    Include /etc/modsecurity/modsecurity.conf
+    Include /etc/modsecurity/crs-setup.conf
+    Include ${pkgs.spdev.modsecurity-crs}/rules/*.conf
+  '';
+
+  environment.etc."modsecurity/modsecurity.conf".text = ''
+    SecRuleEngine On
+    SecRequestBodyAccess On
+    SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
+        "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
+    SecRule REQUEST_HEADERS:Content-Type "application/json" \
+        "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
+    SecRequestBodyLimit 13107200
+    SecRequestBodyNoFilesLimit 131072
+    SecRequestBodyLimitAction Reject
+    SecRule REQBODY_ERROR "!@eq 0" \
+        "id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
+    SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+        "id:'200003',phase:2,t:none,log,deny,status:400, \
+        msg:'Multipart request body failed strict validation: \
+        PE %{REQBODY_PROCESSOR_ERROR}, \
+        BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+        BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+        DB %{MULTIPART_DATA_BEFORE}, \
+        DA %{MULTIPART_DATA_AFTER}, \
+        HF %{MULTIPART_HEADER_FOLDING}, \
+        LF %{MULTIPART_LF_LINE}, \
+        SM %{MULTIPART_MISSING_SEMICOLON}, \
+        IQ %{MULTIPART_INVALID_QUOTING}, \
+        IP %{MULTIPART_INVALID_PART}, \
+        IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+        FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
+    SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
+        "id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
+    SecPcreMatchLimit 1000
+    SecPcreMatchLimitRecursion 1000
+    SecRule TX:/^MSC_/ "!@streq 0" \
+        "id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
+    SecResponseBodyAccess On
+    SecResponseBodyMimeType text/plain text/html text/xml
+    SecResponseBodyLimit 524288
+    SecResponseBodyLimitAction ProcessPartial
+    SecTmpDir /tmp/
+    SecDataDir /tmp/
+    SecDebugLog /var/log/nginx/modsec_debug.log
+    SecDebugLogLevel 3
+    SecAuditEngine RelevantOnly
+    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
+    SecAuditLogParts ABIJDEFHZ
+    SecAuditLogType Serial
+    SecAuditLog /var/log/nginx/modsec_audit.log
+    SecAuditLogFormat Json
+    SecArgumentSeparator &
+    SecCookieFormat 0
+    SecUnicodeMapFile ${pkgs.spdev.libmodsecurity}/share/modsecurity/unicode.mapping 20127
+    SecStatusEngine On
+  '';
+
+  environment.etc."modsecurity/crs-setup.conf".text = ''
+    SecDefaultAction "phase:1,log,auditlog,pass"
+    SecDefaultAction "phase:2,log,auditlog,pass"
+    SecCollectionTimeout 600
+    SecAction \
+        "id:900990,\
+        phase:1,\
+        nolog,\
+        pass,\
+        t:none,\
+        setvar:tx.crs_setup_version=332"
+  '';
+}

generic/services/webserver/nginx.nix

@@ -1,11 +1,14 @@
-{ pkgs, config, ... }:
+{ lib, pkgs, config, ... }:
 let
   domain = config.services.userdata.domain;
 in
 {
+  systemd.services.nginx.serviceConfig.SystemCallFilter = lib.mkForce "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid";
+
   services.nginx = {
     enable = true;
     enableReload = true;
+    package = pkgs.nginx;
     recommendedGzipSettings = true;
     recommendedOptimisation = true;
     recommendedProxySettings = true;
@@ -37,6 +40,10 @@ in
         sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
         sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
         forceSSL = true;
+        extraConfig = ''
+          modsecurity on;
+          modsecurity_rules_file /etc/modsecurity/modsecurity_includes.conf;
+        '';
         locations = {
           "/" = {
             proxyPass = "http://127.0.0.1:80/";

generic/system/tmpfiles.nix

@@ -24,11 +24,11 @@ in
     [
       (if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 bitwarden_rs bitwarden_rs -" else "")
       (if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 bitwarden_rs bitwarden_rs -" else "")
-      (if cfg.pleroma.enable then "d /var/lib/pleroma 0600 pleroma pleroma - -" else "")
+      (if cfg.pleroma.enable then "d /var/lib/pleroma 0700 pleroma pleroma - -" else "")
       "d /var/lib/restic 0600 restic - - -"
       "f+ /var/lib/restic/pass 0400 restic - - ${resticPass}"
       "f+ /root/.config/rclone/rclone.conf 0400 root root - ${rcloneConfig}"
-      (if cfg.pleroma.enable then "f+ /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
+      (if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
       "f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
       (if cfg.nextcloud.enable then "f+ /var/lib/nextcloud/db-pass 0440 nextcloud nextcloud - ${nextcloudDBPass}" else "")
       (if cfg.nextcloud.enable then "f+ /var/lib/nextcloud/admin-pass 0440 nextcloud nextcloud - ${nextcloudAdminPass}" else "")

generic/system/userdata.nix

@@ -0,0 +1,6 @@
+{ pkgs, ... }:
+{
+  services = {
+    userdata = builtins.fromJSON (builtins.readFile ./../../userdata/userdata.json);
+  };
+}

generic/system/users.nix

@@ -17,7 +17,7 @@ in
         value = {
           isNormalUser = true;
           hashedPassword = user.hashedPassword;
-          openssh.authorizedKeys.keys = user.sshKeys;
+          openssh.authorizedKeys.keys = (if user ? sshKeys then user.sshKeys else []);
         };
       })
       cfg.users);

variables.nix

@@ -1,6 +0,0 @@
-{ pkgs, ... }:
-{
-  services = {
-    userdata = builtins.fromJSON (builtins.readFile ./userdata/userdata.json);
-  };
-}